Martin Kosek wrote:
On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
Always require SSL in the Kerberos authorization block.

This also corrects a slight bug where if add is True then we always
re-update the file.

rob

ACK. Pushed to master, ipa-2-1.

Martin


Sorry guys, this breaks things pretty badly. We need to be able to allow some non-SSL access to parts of /ipa to fetch configuration and return errors, etc. for those clients that don't trust our CA yet.

Here is a working change, not fully tested yet:

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 2339387..09b4b7a 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -42,10 +42,17 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>

+# Ensure SSL is enabled in our APIs
+<Location "/ipa/xml">
+  NSSRequireSSL
+</Location>
+<Location "/ipa/json">
+  NSSRequireSSL
+</Location>
+

 # Protect /ipa with Kerberos
 <Location "/ipa">
-  NSSRequireSSL
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
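Review bot: dropping NSSRequireSSL from `<Location "/ipa">` means the Kerberos Negotiate exchange itself can now run over plain HTTP for every /ipa path except /ipa/xml and /ipa/json, so the paths that are intentionally reachable without SSL (the configuration and error responses for clients that do not yet trust the CA) should be enumerated explicitly rather than left as "everything else", and a comment on the `<Location "/ipa">` block should state why it no longer requires SSL so a later cleanup does not re-add it. Minor: the added blank `+` line sits directly above an existing blank line, leaving a double blank before `# Protect /ipa with Kerberos`; one of them can go.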
@@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
 # migration related pages
 Alias /ipa/migration "/usr/share/ipa/migration"
 <Directory "/usr/share/ipa/migration">
+    NSSRequireSSL
     AllowOverride None
     Satisfy Any
     Allow from all
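Review bot: the migration `<Directory>` now carries the NSSRequireSSL it previously inherited from `<Location "/ipa">`, which is the right fix here, but the hunk header shows `Alias /ipa/ui "/usr/share/ipa/ui"` immediately above and that alias lost the same inherited protection in the first hunk; confirm the ui directory block receives an equivalent NSSRequireSSL (or is one of the deliberately non-SSL paths), because with `Satisfy Any` and `Allow from all` in this block there is no other access control to fall back on.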

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel